China Issues Final Rules for Cross-Border Transfer Security Assessments

These measures lay out the conditions, procedures, and next steps to follow when executing overseas transfers

Alexis Kateifides OneTrust Senior Center of Excellence Counsel

The Cyberspace Administration of China (CAC) has issued the final version of its rules for organizations that transfer data out of the People’s Republic of China. The final rules build on the draft version issued at the end of October 2021 and follow other recent developments in this area, such as the CAC’s draft standard contractual clauses (SCCs) and the TC260’s Technical Specification for the Certification of Cross-Border Processing of Personal Information.

The final rules cover the following points: 

Cross-border data transfers requiring security assessments 

The CAC has defined which cross-border transfers must undergo a government security assessment before the data leaves China. These are:

  • Transfers of important data
  • Transfers of personal information (PI) by critical information infrastructure operators, or by data processors that process the PI of more than 1 million individuals
  • Transfers by data processors that have cumulatively transferred the PI of 100,000 individuals, or the sensitive PI (SPI) of 10,000 individuals, abroad since January 1 of the previous year
  • Other situations stipulated by the CAC

The rules define “important data” as data that, if tampered with, destroyed, leaked, or illegally obtained or used, may endanger national security, economic operations, social stability, or public health and safety.

Procedures and timeline of the CAC security assessment 

Before applying for a security assessment, the organization exporting the data must first conduct a self-assessment and prepare a report covering the following points:

  • The necessity of the transfer, and the justification for it
  • The data protection policies and regulations of the recipient country, and whether the recipient meets the requirements imposed by Chinese law
  • The scope, size, type, and sensitivity of the data, and the risk of it being tampered with or destroyed
  • Whether the contract between the transferor and the recipient fully stipulates the responsibilities and obligations of each party

A CAC security assessment is valid for two years. However, if the circumstances of the transfer change, the recipient country’s data laws change, or another major change of circumstances occurs, a new assessment must be conducted before the two years are up.

What this means for organizations 

The final rules take effect on September 1, 2022. As with the entry into force of the PIPL and the DSL, this leaves organizations little time to prepare. Affected organizations should review their current cross-border transfer mechanisms over the next two months, determine which transfers fall within the assessment thresholds above, and adjust their arrangements accordingly.

The rules come on the heels of the CAC’s draft SCCs governing the transfer of PI out of China. With the CAC clearly pushing to regulate overseas transfers, organizations need to stay on top of these requirements and put the appropriate compliance measures in place.

OneTrust DataGuidance
